Thursday, October 29, 2015

So I went to the Department of Commerce to speak at one of their export control working group meetings. It was fascinating. Not my talk, which is here, but the meeting itself.

For example, one of the items on the list was the machine used to make wrapping paper. Apparently modern wrapping paper is very similar to stealth coatings and other important things. But obviously, restricting a machine used to make wrapping paper is a useless task.

The Commerce Department is not crazy about doing dumb things that hurt the US economy. WHICH IS GOOD NEWS FOR THE SECURITY COMMUNITY, because meetings like this one clearly show that they are listening on the "Intrusion items" export control issue, and are unlikely to bow to State Dept or NSA/DoD pressure to eviscerate our whole industry.

Some bulleted thoughts:

- State Dept pointed out that while many people think of this as a human rights issue, it is not. This agreement and process is solely about National Security, so we can table all the discussion of human rights issues with regards to "intrusion software".

- Nobody in the room (or anywhere else) is willing to support the export control language as written, which means one way or the other it has to change. This includes the human rights community, but also State and NSA (who were in the room).

- There was a lot of clarification of the role and value of Penetration Testing as a process, and how that would be adversely affected. We handed out a sample deliverable, for example. Also I invited everyone to INFILTRATE.

- FS-ISAC weighed in as an "End User" and said "We are regulated by certain laws, and this proposed wording violates those laws."

- The idea that you can separate intrusion software ("not regulated") and software used to generate and control intrusion software ("Super Regulated") was shut down pretty heavily both by the Coalition for Responsible Security and by other speakers.

- Microsoft is one of the strongest voices against this regulation, along with the Coalition.

- Commerce does not like regulations with so many carve-outs that they don't have anything actually BEING regulated. They actually like nice clean regulations the way we like nice clean programs. This is not the kind of thing they like.

- Other topics that came up: real-time information sharing conflicts with regulation, the fact that any regulation needs to be "cloud friendly", export control not being the place for this sort of thing, and many others which point out that this regulation cannot go forward.

State Dept has another meeting today, which I'm not going to, but hopefully it will not be a backwards step.